M365 Entra Security & Governance Specialist

Purpose of the Role:

The M365/Entra Security & Governance Specialist owns the security posture, data governance, and compliance alignment of the customer's Microsoft estate. The role designs and operates Zero Trust controls, threat protection, information protection, insider risk management, and the audit/evidence machinery required to demonstrate alignment with ISO 27001, GDPR, NIST CSF and Microsoft's Secure Score baselines.

The customer processes personal and special-category data on behalf of public-sector programmes. The role therefore carries direct accountability for protecting beneficiary data, ensuring lawful processing within the EEA, and providing evidence of control effectiveness to the customer's Cyber Security team and external auditors. This is a senior, hands-on technical role - not a paper-only governance position.

Requirements Key Technical Responsibilities:

Threat Protection - Microsoft Defender XDR

• Operate Microsoft Defender XDR across Defender for Endpoint, Defender for Office 365 (Plan 2), Defender for Identity, Defender for Cloud Apps, and Defender Vulnerability Management.
• Manage Defender for Endpoint deployment, onboarding (via Intune/GPO/script), attack surface reduction (ASR) rules, EDR in block mode, automated investigation and response (AIR), tamper protection, and live response.
• Tune Defender for Office 365 anti-phishing, Safe Links, Safe Attachments, anti-spoofing, impersonation protection, attack simulation training, and Threat Explorer queries.
• Operate Defender for Identity sensors on domain controllers and ADFS Servers; investigate identity-based attack paths (DCSync, Golden Ticket, Pass-the-Hash) and remediate exposures.
• Operate Defender for Cloud Apps for SaaS discovery, OAuth app governance, conditional access app control (reverse Proxy), session policies, and shadow IT reporting.
• Investigate alerts and incidents in the Defender XDR portal using KQL advanced hunting; build custom detections, suppression rules, and automated playbooks.

SIEM and SOAR - Microsoft Sentinel

• Operate Microsoft Sentinel for the estate: data connectors (M365, Entra, Defender XDR, Azure Activity, Office 365, Threat Intelligence, Syslog/CEF), workspace architecture, retention, and cost optimisation.
• Author analytics rules (scheduled, NRT, Fusion, Microsoft Security), build watchlists, threat intelligence integrations (TAXII/MISP), and User Entity Behaviour Analytics (UEBA).
• Develop KQL detection content aligned to MITRE ATT&CK; operate hunting queries, bookmarks, and incident investigation graphs.
• Build SOAR automation using Azure Logic Apps playbooks for incident enrichment, containment (eg, disable user, force password reset, isolate device), and notification.
• Operate the 24/7 Sentinel-based monitoring stack in collaboration with the NOC analyst function.

Information Protection and Data Governance - Microsoft Purview

• Design and operate Microsoft Purview Information Protection: sensitivity labels, label policies, auto-labelling (client and service-side), encryption with rights management, and co-authoring on encrypted documents.
• Build and tune Data Loss Prevention (DLP) policies for Exchange, SharePoint, OneDrive, Teams chat, Endpoint DLP and Power Platform; manage policy tips, overrides, and incident review.
• Operate Insider Risk Management policies, content Explorer, activity Explorer, and communication compliance where in scope.
• Design retention policies, retention labels, and records management aligned to the customer's records retention schedules and applicable public-sector records management frameworks.
• Operate eDiscovery (Standard and Premium): cases, holds, collections, reviews, custodian management, and chain-of-custody documentation.
• Operate Microsoft Purview Data Map, Data Catalog, and Data Estate Insights for the Microsoft Fabric/Power BI estate, including lineage, classification scans, and Data Loss Prevention for Fabric.
• Maintain audit and reporting using Purview Audit (Standard/Premium), Compliance Manager templates (ISO 27001, GDPR, NIS2), and customer-managed Compliance Manager assessments.

Identity Security and Zero Trust

• Define and maintain the Conditional Access policy baseline using a documented policy framework (Persona-based or Microsoft Zero Trust deployment guidance), including emergency/break-glass access, named locations, and report-only validation.
• Operate Entra ID Protection - sign-in risk, user risk, risk policies, and risk investigation - including alignment with Defender XDR for unified incident view.
• Govern privileged access via PIM, role-assignable groups, access reviews, and Just-In-Time elevation; co-own break-glass account procedures with the AD/Entra Specialist.
• Operate Entra Permissions Management (CIEM) where licensed, providing visibility of multi-cloud permission risk.

Compliance and Audit

• Maintain ISO 27001 control evidence and align with the customer's certification and surveillance audits; act as the technical lead for any audit observation related to the Microsoft estate.
• Maintain GDPR records of processing, support Data Protection Impact Assessments for new applications, and operate technical and organisational measures (TOMs).
• Map controls to NIST CSF, NIS2 (where applicable as an essential/important entity), and Microsoft Secure Score/Identity Secure Score; maintain a target posture and quarterly improvement plan.
• Produce monthly security KPIs for the SLA report - Secure Score trend, MFA coverage, DLP incidents, phishing simulation results, vulnerability remediation, patch compliance - and quarterly executive risk reports.

Microsoft Copilot and AI Governance

• Operate the security envelope for Microsoft 365 Copilot and Copilot Studio including SharePoint sharing hygiene ("oversharing"), sensitivity-label-aware grounding, restricted SearchableContent, and Copilot interaction audit log review.
• Define and enforce a Responsible AI policy aligned with Microsoft's Responsible AI Standard - fairness, reliability, safety, privacy, security, inclusiveness, transparency, and accountability.

Mandatory Technical Skills

• Microsoft Defender XDR (full stack) and Microsoft Sentinel - analytics, hunting (KQL), incident management, and SOAR playbook authoring.
• Microsoft Purview - Information Protection, DLP, Insider Risk, Records Management, eDiscovery, Audit, and Compliance Manager.
• Entra ID security: Conditional Access, MFA, PIM, Identity Protection, External Identities, and Permissions Management.
• Zero Trust architecture knowledge per Microsoft Zero Trust deployment guidance; ability to lead a Zero Trust roadmap discussion with senior stakeholders.
• ISO 27001:2022 control set; GDPR Articles 5, 6, 9, 25, 28, 30, 32-34; awareness of NIS2 and applicable national cyber-security guidance.
• KQL (Kusto Query Language) - fluent across Defender Advanced Hunting, Sentinel, and Log Analytics.
• PowerShell automation across Microsoft Graph Security, ExchangeOnlineManagement, and Compliance modules.

Desirable Technical Skills

• Threat hunting using Sigma rules, MITRE ATT&CK navigator, and STIX/TAXII Intel feeds.
• SOC operations experience - shift handover, evidence preservation, incident life cycle (NIST SP 800-61).
• Familiarity with on-premises PAM (CyberArk, BeyondTrust) and hybrid SOC tooling beyond Microsoft.
• Microsoft Fabric/Purview Data Loss Prevention (Fabric DLP) and AI hub for Purview.
• Familiarity with Cyber Essentials Plus, NCSC Cyber Assessment Framework (CAF), and ENISA guidance.

Required Certifications

• Microsoft Certified: Security Operations Analyst Associate (SC-200) - mandatory.
• Microsoft Certified: Information Protection and Compliance Administrator Associate (SC-400) - mandatory.
• Microsoft Certified: Identity and Access Administrator Associate (SC-300) - mandatory.
• Microsoft Certified: Cybersecurity Architect Expert (SC-100) - preferred.
• ISO/IEC 27001 Lead Implementer or Lead Auditor - preferred.
• CISSP, CISM, or equivalent - desirable.